AWS/Elasticsearch Backend Security Clarification


I’m currently in the process of migrating from the hibernate search 5.10.6.Final to version 6.1.2.Final (or newer pending timing). We’re currently using an AWS Elasticsearch backend and were using the static method for AWS signing and would like to move the security model to IRSA.

The docs appear to support this - but the listing for the default credential providers does not include the WebIdentityTokenCredentialsProvider. According to the latest docs in AWS for the awsdk version of the APIs - the default lookup chain is:

AWS credentials provider chain that looks for credentials in this order:

  • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK)
  • Java System Properties - aws.accessKeyId and aws.secretKey
  • Web Identity Token credentials from the environment or container
  • Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
  • Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable is set and security manager has permission to access the variable,
  • Instance profile credentials delivered through the Amazon EC2 metadata service

My question is - if I pull the following dependency (latest version for AWS vs the java namespaced older versions):

I’m assuming hibernate search will just use THAT default credentials provider chain and be happy?

Thanks for any insight!




The docs were just copy/pasted from the AWS docs when the feature was introduced. It seems we’ll have to update them. EDIT: created [HSEARCH-4554] - Hibernate JIRA to address this.

Hibernate Search just uses by default. If that class was updated and does what you want, then you should be good to go.

Thanks! Appreciate the fast reply. Fantastic response times…everytime!

1 Like